All tools in the Solaris Management Console display information
in the bottom section of the page or at the left side of a wizard panel. Choose
Help at any time to find additional information about performing tasks in
this interface.

Assign the role to a user.

Tip – After filling in the properties of the role, the last dialog box
prompts you for a user for the role.

Example 9–1 Creating a Role for the System Administrator Rights Profile

In this example, the new role can do system administration tasks that
are not connected to security. The role is created by performing the preceding
procedure with the following parameters:

Role name: sysadmin

Role full name: System Administrator

Role description: Performs non-security admin tasks

Rights profile: System Administrator

This rights profile is at the top of the list of profiles that are included
in the role.

Example 9–2 Creating a Role for the Operator Rights Profile

The Operator rights profile can manage printers and back up the system
to offline media. You might want to assign the role to one user on each shift.
To do so, you would select the role mailing list option in the Step 1: Enter
a Role Name dialog box. The role is created by performing the preceding procedure
with the following parameters:

Role name: operadm

Role full name: Operator

Role description: Backup operator

Rights profile: Operator

This rights profile must be at the top of the list of profiles that are included
in the role.

Example 9–3 Creating a Role for a Security-Related Rights Profile

By default, the only rights profile that contains security-related commands
and rights is the Primary Administrator profile. If you want to create a role
that is not as powerful as Primary Administrator, but can handle some security-related
tasks, you must create the role.

In the following example, the role protects devices. The role is created
by performing the preceding procedure with the following parameters:

Role name: devicesec

Role full name: Device Security

Role description: Configures Devices

Rights profile: Device Security

In the following example, the role secures systems and hosts on the
network. The role is created by performing the preceding procedure with the
following parameters:

Role name: netsec

Role full name: Network Security

Role description: Handles IPsec, IKE, and SSH

Rights profile: Network Security

Example 9–4 Creating a Role for a Rights Profile With Limited Scope

A number of rights profiles are of limited scope. In this example, the
sole task of the role is to manage DHCP. The role is created by performing
the preceding procedure with the following parameters:

Role name: dhcpmgt

Role full name: DHCP Management

Role description: Manages Dynamic Host Config Protocol

Rights profile: DHCP Management

Example 9–5 Modifying a User's Role Assignment

In this example, a role is added to an existing user. The user's role
assignment is modified by clicking the User Accounts icon in the Users tool
in the Solaris Management Console, double-clicking the user, and following
the online help to add a role to the user's capabilities.

Troubleshooting

Check the following if the role does not have the
capabilities that it should:

Are the role's rights profiles listed in the GUI from most
to least powerful?

For example, if the All rights
profile is at the top of the list, then no commands are run with security
attributes. A profile that contains commands with security attributes must
precede the All rights profile in the list.

Do the commands in the role's rights profiles have the appropriate
security attributes?

For example, when the policy is suser,
some commands require uid=0 rather than euid=0.

Is the rights profile defined in the appropriate name service
scope? Is the role operating in the name service scope where the rights profile
is defined?

Has the name service cache, svc:/system/name-service-cache, been restarted?

The nscd daemon
can have a lengthy time-to-live interval. By restarting the daemon, you update
the name service with current data.
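
The first check above (profile order) can be automated. The following Python sketch is an added example, not part of the original documentation: it models first-match profile resolution over entries in user_attr(4) and exec_attr(4) format and reports commands whose security attributes are hidden by an earlier profile such as All. The sample entries are constructed, the function names are hypothetical, and the model ignores supplementary profiles and the policy field.

```python
import fnmatch
# Constructed sample entries in user_attr(4) and exec_attr(4) format.
USER_ATTR = """\
netsec::::type=role;profiles=Network Security,All
operadm::::type=role;profiles=All,Operator
"""
EXEC_ATTR = """\
Network Security:suser:cmd:::/usr/sbin/ipseckey:euid=0
Operator:suser:cmd:::/usr/sbin/ufsdump:euid=0
All:suser:cmd:::*:
"""
def _rows(text):
    return [l for l in text.splitlines() if l.strip() and not l.startswith("#")]
def parse_roles(text):
    """Return {role: [profiles in listed order]} for type=role entries."""
    roles = {}
    for line in _rows(text):
        name, _q, _r1, _r2, attr = line.split(":", 4)
        kv = dict(p.split("=", 1) for p in attr.split(";") if "=" in p)
        if kv.get("type") == "role":
            roles[name] = [p.strip() for p in kv.get("profiles", "").split(",") if p.strip()]
    return roles

def parse_exec(text):
    """Return {profile: [(command pattern, security attributes)]}."""
    table = {}
    for line in _rows(text):
        name, _policy, _type, _r1, _r2, cmd, attr = line.split(":", 6)
        table.setdefault(name, []).append((cmd, attr))
    return table

def resolve(profiles, table, command):
    """First match wins: return (profile, attributes) for the command."""
    for prof in profiles:
        for pattern, attr in table.get(prof, []):
            if fnmatch.fnmatchcase(command, pattern):
                return prof, attr
    return None, ""

def shadowed(roles, table):
    """List (role, profile, command, winning profile) where attributes are lost."""
    found = []
    for role, profiles in roles.items():
        for prof in profiles:
            for cmd, attr in table.get(prof, []):
                hit, got = resolve(profiles, table, cmd)
                if attr and not got:
                    found.append((role, prof, cmd, hit))
    return found
```

In the sample data, operadm lists All before Operator, so `shadowed()` reports that its backup command resolves to the All entry with no security attributes, while netsec is ordered correctly and is not reported.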